AD - External TCP Scanner Signature

Unanswered Question
Aug 11th, 2010

I am getting several of these from different workstations on my network. I need to find out if this is really worm outbreak behavior or indeed a false positive. I changed the attacker IPs for this post, but they are coming from internal IPs on my network.

Attacker Address   Attacker Port   Target Address   Target Port
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.2                           0.0.0.0          443
10.0.0.2                           0.0.0.0          443
10.0.0.2                           0.0.0.0          443
10.0.0.2                           0.0.0.0          443
10.0.0.3                           0.0.0.0          80
10.0.0.3                           0.0.0.0          80
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.5                           0.0.0.0          80
10.0.0.5                           0.0.0.0          80
10.0.0.5                           0.0.0.0          80
10.0.0.5                           0.0.0.0          80
10.0.0.6                           0.0.0.0          80
10.0.0.6                           0.0.0.0          80
10.0.0.7                           0.0.0.0          443
10.0.0.7                           0.0.0.0          443
10.0.0.7                           0.0.0.0          443
10.0.0.7                           0.0.0.0          443
10.0.0.8                           0.0.0.0          443
10.0.0.8                           0.0.0.0          443
10.0.0.8                           0.0.0.0          443
10.0.0.8                           0.0.0.0          443

Is this really the behavior of a worm outbreak? Or could it be that the "attackers" are establishing web/SSL connections to targets which are unknown or not tagged as the internal zone, hence by default the zone of the target is external, and as a result this signature was fired?

Seeking advice/views from the domain experts here. TIA.

Scott Fringer Tue, 08/17/2010 - 03:55

Joseison;

   These signatures key on hosts that are sending TCP SYN requests to multiple destinations in a single zone and not receiving the expected SYN-ACK in return within a specified time.  The number of scanned destinations in turn crosses the configured/learned scanner threshold.  Therefore it is key that the sensor see both directions of traffic, or there is a risk of false positive detection.

  It is not likely these sources are creating legitimate connections, as the AD engine looks for the lack of the SYN-ACK as an indicator of scanning.  This could be caused by hosts that are performing network management/vulnerability assessment duties.  Again, the one concern is if the sensor is not seeing the return traffic for legitimate connections, and in turn the missing connection response is collected and the sensor considers this a potential worm activity.  Ultimately, you will need to investigate the sources of the alerts (if within your control) to see if they are performing full connections to the destinations (perhaps through the use of Wireshark on the reported hosts).

  You can find out more about the functionality of the anomaly detection engine here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_anomaly_detection.html

Scott

Scott,

I am also observing the same signatures getting fired through my IPS to destination ports 443 and 5222. I cross-checked the source machines and they don't use any scanner applications. I need to know why the destination addresses are showing as 0.0.0.0 and the interface name as sy0_0, which is not assigned to any of the interfaces.

Also, can this be worm activity from my internal zone?

Kiran

Scott Fringer Fri, 10/22/2010 - 05:47

Kiran;

Yes, there is potential that these signature events indicate worm activity.  The destination addresses are 0.0.0.0 as the sensor is only tracking the SYN activity from the hosts; it is not necessary to track the destination addresses.  The hosts in question do not need to be restricted to using a scanning application to trigger this signature; it is simply a potential source of false positives.  It is also possible the "scanning" software is a worm looking for potential hosts to infect.

It is also possible if the IPS is only seeing one direction of traffic (asymmetric traffic flows) and does not see the return SYN-ACK that these signatures will fire.  In such an environment it is usually necessary to disable the anomaly detection engine or work to correct the asymmetric traffic flow.

Scott

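Scott's description above (a host sending SYNs to several destinations in one zone, no SYN-ACK seen within a timeout, the count of such destinations compared against a threshold) and his later point that an asymmetric path hides the SYN-ACK from the sensor and makes the signature fire on legitimate traffic, as an added example that is not part of the original thread and not Cisco's own code: a small Python model of that detection logic run over a constructed packet log. The zone table (10.0.0.0/8 tagged internal, everything else falling into a default external zone, the situation the original poster suspects), the threshold and timeout values, the host addresses and the packet records are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed zone table: only 10.0.0.0/8 is tagged "internal"; any destination
# that matches no configured zone is placed in the default "external" zone.
ZONES = [(ipaddress.ip_network("10.0.0.0/8"), "internal")]


def zone_of(ip):
    """Return the configured zone name for an address, or 'external' by default."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES:
        if addr in net:
            return name
    return "external"


def build_sample():
    """Constructed packet log: (time_s, src, sport, dst, dport, flags).

    flags "S" is a client SYN, "SA" is the server's SYN-ACK.
    """
    pkts = []
    # Host 10.0.0.1: five legitimate HTTPS connections, every SYN answered.
    for i in range(5):
        server = f"203.0.113.{10 + i}"
        pkts.append((i * 0.1, "10.0.0.1", 50000 + i, server, 443, "S"))
        pkts.append((i * 0.1 + 0.02, server, 443, "10.0.0.1", 50000 + i, "SA"))
    # Host 10.0.0.4: SYNs to eight different hosts on 443, none ever answered
    # (the scanner / worm-like pattern the signature is built to catch).
    for i in range(8):
        pkts.append((1.0 + i * 0.05, "10.0.0.4", 51000 + i, f"198.51.100.{i + 1}", 443, "S"))
    return pkts


def syn_only(packets):
    """Simulate an asymmetric path: the sensor sees outbound SYNs but no return traffic."""
    return [p for p in packets if p[5] == "S"]


def detect_scanners(packets, threshold=4, timeout=2.0, now=None):
    """Return {(src, zone, dport): [unanswered destinations]} for sources
    whose count of unanswered destinations in a zone reaches the threshold.

    A SYN is "unanswered" when no SYN-ACK for that (client, server, port)
    triple was seen and the timeout has elapsed since the SYN.
    """
    pending = {}  # (src, dst, dport) -> time of first SYN
    for t, src, sport, dst, dport, flags in packets:
        if flags == "S":
            pending.setdefault((src, dst, dport), t)
        elif flags == "SA":
            # The SYN-ACK travels server -> client, so the matching SYN key
            # is (client=dst, server=src, server_port=sport).
            pending.pop((dst, src, sport), None)
    if now is None:
        # Evaluate once the timeout has expired after the last packet.
        now = max(p[0] for p in packets) + timeout
    per_source = defaultdict(set)
    for (src, dst, dport), t in pending.items():
        if now - t >= timeout:
            per_source[(src, zone_of(dst), dport)].add(dst)
    return {k: sorted(v) for k, v in per_source.items() if len(v) >= threshold}


if __name__ == "__main__":
    log = build_sample()
    print("sensor sees both directions:", detect_scanners(log))
    print("sensor sees only SYNs:      ", detect_scanners(syn_only(log)))
```

With both directions visible only 10.0.0.4 is reported, for the external zone and port 443; feeding the same log with the SYN-ACKs stripped makes the legitimate host 10.0.0.1 appear as a scanner as well, which is the false-positive mechanism Scott describes. The real sensor reports the target as 0.0.0.0 because it does not keep the destination list; the model keeps it only so the result can be inspected.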
Scott Fringer Fri, 10/22/2010 - 06:08

Kiran;

The information is tracked across all interfaces, and therefore is not limited to a single interface.  The system simply summarizes to a system interface based on the signature firing logic; the detection is specific to the source IP address only.

Scott
